WO2008094779A1 - Master-slave security devices - Google Patents


Info

Publication number
WO2008094779A1
Authority
WO
WIPO (PCT)
Prior art keywords
security
master
master device
bean
devices
Application number
PCT/US2008/051575
Other languages
French (fr)
Inventor
David James Foster
Shon Schmidt
David Jaroslav Sebesta
Curt Andrew Steeb
William J. Westerinen
Zhangwei Xu
Todd L. Carpenter
Original Assignee
Microsoft Corporation
Application filed by Microsoft Corporation
Publication of WO2008094779A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82 Protecting input, output or interconnection devices
    • G06F21/85 Protecting input, output or interconnection devices; interconnection devices, e.g. bus-connected or in-line devices
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information
    • G06F21/72 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information in cryptographic circuits

Definitions

  • execution may follow the 'no' branch from block 516 to block 510 and the loop followed until either a valid reset message is received or the timer expires. If, at block 516, the timer has expired, the 'yes' branch from block 516 may be followed to block 518 and the switch 314 set to the disabled position. The security bean 300 may remain in that state until another power-on/restart process is initiated. In other embodiments, a path from block 518 to block 512 may exist allowing a reset message to be validated in the security bean 300 to set an enabled mode without a restart.

Abstract

A computer or other electronic device requiring physical integrity of its components, for example, a pay-per-use computer may use a master security device in communication with a plurality of slave security devices, known as security beans. Each security bean may be given a cryptographic key or keys for use in authenticating communication with the master security device. Each security bean may be coupled to an associated component and may have the ability to disable that associated component. In one embodiment, security bean has an analog switch that may be configured to block or attenuate a critical signal used by the associated component. The security bean may start up in the disable mode and respond to a verified signal from the master security device to enable its corresponding component.

Description

MASTER-SLAVE SECURITY DEVICES
BACKGROUND
[0001] When a business model allows selling a product at little or no cost and recoups the product's cost by selling services, such as with cellular phones, a key element is the ability to render the product useless if the terms of the service contract are not fulfilled. For example, if a cellular phone service subscriber fails to pay the agreed-to monthly fee, the service provider can simply turn off the phone's access to the network. Because the value of the phone is extremely limited if it cannot make phone calls, the service provider's investment is protected. Further, because the cellular phone may have little or no street value, there is little incentive to defraud the service provider for the sole purpose of getting an inexpensive cellular phone.
[0002] However, a subsidized computer may have considerable use and value when not connected to a network. Therefore, a business model that supplies computers or other high intrinsic value electronic devices to consumers at a subsidized initial cost along with a services contract, e.g. Internet service access, must have a way of limiting access to the computer when the terms of contract are not fulfilled. Given the sophistication and ingenuity of hackers, it may be difficult, if not impossible, to provide cost effective protection from every possible hack. One significant danger is a software-only hack that can be virally spread through the Internet and executed using a script.
SUMMARY
[0003] To counter widespread hacking attempts, a computer or other electronic device may be protected, at least in part, using small, inexpensive security elements, or security beans that operate in conjunction with a security master device. Even though an individual security bean may not pose a significant hurdle to a hacker, the cost and risk of damage to a computer when faced with disabling a multitude of security beans may deter most hackers. Cryptographically personalizing each security bean may require that a software hack extract a key for each security bean or device, raising the bar for a successful software hack. Further, because the security bean itself may be implemented with a very small footprint, the security bean may be incorporated on the same chip with other devices, such as controllers and I/O managers.
[0004] One embodiment of a security bean incorporates an analog switch that may be selectively turned on or off by an event. The event may be a signal from the security master device or may be internally generated by a timer when a heartbeat signal is not timely received. To keep costs down, the security bean may use a hardware-based communication protocol and have limited computational and memory capacity. Each security bean may have a unique secret for securing communication between the security bean and the security master device and to increase the burden on a hacker of extracting keys for each separate security bean. The use of unique secret keys increases the difficulty of a software attack. Sheer numbers, in one embodiment, dozens, of security beans can increase the cost of a hardware attack accomplished through removing or jumpering over security beans. The cost of hardware attacks can be increased dramatically when security beans are built into larger, high function chips, such as a Northbridge or Southbridge.
BRIEF DESCRIPTION OF THE DRAWINGS
[0005] Fig. 1 is a simplified and representative block diagram of a prior art computer;
[0006] Fig. 2 is a block diagram of a simplified and representative computer in accordance with the current disclosure;
[0007] Fig. 3 is a simplified and exemplary block diagram of a security device or security bean;
[0008] Fig. 4 is a simplified and exemplary block diagram of a master device;
[0009] Fig. 5 is a flow chart depicting a method of operating a security bean;
[0010] Fig. 6 is a flow chart depicting an alternate method of operating a security bean;
[0011] Fig. 7 is a flow chart depicting a method of operating a master device; and
[0012] Fig. 8 is a flow chart depicting a method of configuring security beans to a master device.
DETAILED DESCRIPTION
[0013] Although the following text sets forth a detailed description of numerous different embodiments, it should be understood that the legal scope of the description is defined by the words of the claims set forth at the end of this disclosure. The detailed description is to be construed as exemplary only and does not describe every possible embodiment since describing every possible embodiment would be impractical, if not impossible. Numerous alternative embodiments could be implemented, using either current technology or technology developed after the filing date of this patent, which would still fall within the scope of the claims.
[0014] It should also be understood that, unless a term is expressly defined in this patent using the sentence "As used herein, the term ' ' is hereby defined to mean..." or a similar sentence, there is no intent to limit the meaning of that term, either expressly or by implication, beyond its plain or ordinary meaning, and such term should not be interpreted to be limited in scope based on any statement made in any section of this patent (other than the language of the claims). To the extent that any term recited in the claims at the end of this patent is referred to in this patent in a manner consistent with a single meaning, that is done for sake of clarity only so as to not confuse the reader, and it is not intended that such claim term be limited, by implication or otherwise, to that single meaning. Finally, unless a claim element is defined by reciting the word "means" and a function without the recital of any structure, it is not intended that the scope of any claim element be interpreted based on the application of 35 U.S.C. § 112, sixth paragraph.
[0015] Much of the inventive functionality and many of the inventive principles are best implemented with or in software programs or instructions and integrated circuits (ICs) such as application specific ICs. It is expected that one of ordinary skill, notwithstanding possibly significant effort and many design choices motivated by, for example, available time, current technology, and economic considerations, when guided by the concepts and principles disclosed herein will be readily capable of generating such software instructions and programs and ICs with minimal experimentation. Therefore, in the interest of brevity and minimization of any risk of obscuring the principles and concepts in accordance with the present invention, further discussion of such software and ICs, if any, will be limited to the essentials with respect to the principles and concepts of the preferred embodiments.
[0016] Fig. 1 is an architectural diagram of a prior art computer 10, representing a number of similar architecture electronic devices, including but not limited to, cellular telephones, personal digital assistants, media players, gaming systems, etc. The architecture of the computer 10 may be typical of general-purpose computers widely sold and in current use. A processor 12 may be coupled to a graphics and memory interface 14.
[0017] The graphics and memory interface 14 may be a "Northbridge" controller or its functional replacement in newer architectures, such as a "Graphics and AGP Memory Controller Hub" (GMCH). The graphics and memory interface 14 may be coupled to the processor 12 via a high speed data bus 34, such as the "Front Side Bus" (FSB), known in computer architectures. The processor 12 may also be connected, either directly or through the graphics and memory interface 14, to an input/output interface 20 (I/O interface). The I/O interface 20 may be coupled to a variety of devices represented by, but not limited to, the components discussed below. The I/O interface 20 may be a "Southbridge" chip or a functionally similar circuit, such as an "I/O Controller Hub" (ICH). Several vendors produce current-art Northbridge and Southbridge circuits and their functional equivalents, including Intel Corporation.
[0018] A variety of functional circuits may be coupled to either the graphics and memory interface 14 or the I/O Interface 20. The graphics and memory interface 14 may be coupled to system memory 16 and a graphics processor 18, which may itself be connected to a display (not depicted). A mouse/keyboard 22 may be coupled to the I/O interface 20. A universal serial bus (USB) 24 may be used to interface external peripherals including flash memory, cameras, network adapters, etc. (not depicted). Firmware, such as a basic input output system (BIOS) 26 may be accessed via the I/O interface 20. Nonvolatile memory 28, such as a hard disk drive or any of a number of other non-volatile memories, may also be coupled to the I/O interface 20.
[0019] The power supply 30 may be used to supply energy to each of the devices in the computer 10. A power supply output 32 is marked on Fig. 1 with the letter A. In one embodiment, the power supply output 32 is the actual power source for the operational components. In another embodiment, the power supply output 32 may be a "power OK" signal that is used by the other devices to determine when the power supply is stable and at the correct voltage for operation. The other devices may then begin a power on sequence.
[0020] Fig. 2 illustrates a computer 200, or other processor-based device, as listed above, adapted for use with a master-slave security device or devices. Similar to the apparatus in Fig. 1, the computer 200 may have a processor 202, and two major support chips: a memory/graphics interface 204 and an I/O interface 210, e.g. a Northbridge and a Southbridge. The memory/graphics interface 204 may support a graphics processor 208 and system memory 206. The graphics processor 208 may be coupled to a monitor or other display (not depicted).
[0021] The I/O interface 210 may support a mouse/keyboard 212 or other input devices. A universal serial bus (USB) 214 may be used to interface external peripherals including flash memory, cameras, network adapters, etc. (not depicted). Nonvolatile memory 216, such as a hard disk drive or any of a number of other non-volatile memories, may also be coupled to the I/O interface 210. A master device 226 may include memory storing one or more BIOS images for use in booting the computer 200. The master device 226 may also include other functions associated with metering and other system verification and enforcement measures. For the purpose of clarity, those aspects of the master device 226 will not be discussed in this disclosure. The master device 226 may have separate communication channels: a first channel 227 may be used to communicate with slave security devices, or "security beans" (SBs). The second channel 228 may be coupled conventionally to the I/O interface 210. Additional communication channels may be supported, for example, a separate communication channel for each configuration of security devices (see below).
[0022] The processor 202 and memory/graphics interface 204 may be connected as above, with a front-side bus 218. The memory/graphics interface 204 to I/O interface 210 connection may be a high speed system bus 219. The system bus 219 may be used to generate clock signals for other high speed buses, such as an I/O interface 210 to non-volatile memory 216 interface 220. Other configurations of system components, including processors with integrated memory controllers, known in the industry, or alternative bus structures, such as Hypertransport®, may also be used.
[0023] A power supply 222 may have a signal output 224 indicating when the power supply is at voltage and stable. As discussed above, the power supply may have one or more outputs (not depicted) coupled to each active system component. For the purpose of this discussion, output 224 will be presumed to be a "power OK" signal, but other signals, including the power bus lines themselves, may be involved. Each component with a power OK input will remain non-operational until the power OK signal input transitions to a designated active state, for example, a logic 1 value.
[0024] As will be discussed in more detail below with respect to Fig. 3, a security device or a security bean (SB) may operate as a connect/disconnect switch between two points and may be installed in any of several configurations. In a first configuration, one or more security beans 230 may be coupled in a serial fashion to the power OK input of a number of system components, including the memory/graphics interface 204, system memory 206, graphics processor 208, USB port 214, and nonvolatile memory 216.
[0025] In this configuration, the switching function in the security bean 230 may start in the normally off (disconnected) mode and block the power OK signal 224 from the power supply 222, effectively disabling each connected component. When the master device 226 determines that criteria have been met for operations, the master device 226 may send an activation signal to each of the security beans 230 instructing each one to close its switching function and couple the power OK signal 224 to its respective component, allowing that component to start in a normal fashion.
[0026] In another configuration of the slave device, security bean 232 is shown coupled between the mouse/keyboard 212 and the I/O interface 210. As above, the default configuration for the security bean 232 may be with the switch function open, blocking any signals between the mouse/keyboard 212 and the I/O interface 210. When the master device 226 determines that criteria have been met for operations, the master device 226 may send instructions to close the switching function and enable the mouse/keyboard 212. Because the security device authentication process may be completed very early in the boot process, the mouse/keyboard 212 may be active prior to BIOS system checking, so initial blocking should not cause a system error. Alternatively, because in some embodiments the BIOS is hosted in the master device 226 and may be aware of the security bean 232, the BIOS may be able to selectively activate devices during initial system checking when booting.
[0027] Another configuration of the slave device is illustrated by security bean 234 and associated load 236, shown in this exemplary embodiment attached to system buses 219 and 220, or more specifically, to a single signal path on each respective bus. In this configuration, the security bean 234 switch function may be normally closed, coupling load 236 to the respective bus 219 or 220. Coupling the load 236 to a bus may alter the transmission characteristics sufficiently to render the bus inoperable, for example, if coupled to a clock line. Additional security beans configured in this fashion may be attached to multiple lines of a data bus, thereby disabling each respective data line.
[0028] Lastly, security bean 238 is shown unattached. One or more unattached security beans 238 may be placed in an electronic device, and even coupled to signal connections, such as a ground plane, to act as decoys to further raise the bar of disabling active security beans 230, 232, 234.
[0029] Depending on the exact design of the security bean, e.g. bean 230, the security bean may have a material cost of well less than a dollar, allowing widespread deployment without significant impact on end-user price, while creating a significant cost of hacking in terms of time, tools, and risk of damage to the computer or other protected electronic device. Additional decoys, or dummy devices, may be attached to real components but factory-set to perpetual mode (see below) so that they do not participate in communication between the master device and other security beans. Such devices may also be loaded with dummy keys to obfuscate key extraction efforts. In other embodiments, decoy devices may be in communication with the master device 226 and respond to ping requests, although they have no connection to other components in the electronic device.
[0030] Other configurations of masters and security beans may be implemented. For example, some implementations may use multiple masters with either separate or overlapping coverage on associated security beans. That is, one security bean may respond to more than one master, or the beans on a system may each respond to one of the multiple masters. As with dummy security bean 238, a second or more master devices simply increases the difficulty of hacking a system. As discussed more below regarding initial setup, the security beans may be randomly assigned to master devices to help prevent 'cookbook' attacks.
[0031] As mentioned above, an alternative embodiment may be to place security bean circuitry in major components, such as the Northbridge, Southbridge, their equivalents, or other high activity components, such as a network interface card. In some cases, additional, separate I/O could be used for communication with such security circuitry, but in most cases, it is likely that such communication would be through whatever port or bus the component already uses. When this is the case, the base circuitry of the component may require additional functionality to route communications with the security bean that arrive or are sent over the standard port.
[0032] Fig. 3 is a simplified and exemplary block diagram of a security device, also known as a slave device or a security bean 300. A processor 302 may execute programs and control communications with a master device, such as the master device 226 of Fig. 2. A communications port 304 may manage communication protocol over interface 305, such as a serial peripheral interface (SPI). The security bean 300 may also include a secure memory 306, a cryptographic function 308, an optional timer 310, a switch control 312, and a switch 314 with an input coupling 316 and an output coupling 318.
[0033] The processor 302 may be a microprocessor with a standard or reduced instruction set but may also be an application specific integrated circuit (ASIC) implementing simple logic or a state machine. The communication port 304 may be a dedicated port, may be a separate ASIC circuit implementing a communication protocol in hardware, or may be incorporated in the processor 302.
[0034] The secure memory 306 may include both volatile and nonvolatile memory for use in storing persistent data as well as for use by the processor 302 during operation. The secure memory 306 may include keys 322, a hash algorithm 324, and program code 326, as well as a perpetual flag 328 and a default state flag 330. The keys 322 may include a local master key accepted from a master device 226 during configuration with the master device 226. Derived keys, session keys, or local hash values may also be stored in the keys section 322. The hash algorithm 324 may be any of a number of known algorithms, such as MD5 or SHA-256. Program code 326 may be executable instructions that the processor 302 can use during both configuration and normal operation phases. The perpetual state 328 stored in the secure memory 306 may be a simple flag used to indicate whether the security bean 300 should be permanently placed in a normal operating state or a so-called perpetual state. The perpetual state may be used to turn off all security functions in a computer. This may include setting the security bean 300 so that the computer can operate without any restrictions, for example, after a subscriber has successfully met contractual terms for a subsidized purchase and takes full ownership of the computer or electronic device. The default state 330 may be set to determine whether the default value (i.e. the state of the switch 314 required to disable its associated component) for switch control 312 is open or closed, depending upon the use of the security bean 300 in a circuit.
[0035] The cryptographic function 308 may include a hash function for use instead of or in conjunction with a hash algorithm 324 stored in the secure memory 306. The cryptographic function 308 may also include a random number generator (RNG) for use in challenge/response communication with the master device 226. The cryptographic function 308 may include general encryption/decryption functions which may be used, in part, for generating and verifying a message authentication code (MAC).
[0036] The optional timer 310 may be used as described below when the security bean 300 operates to disable its respective circuit unless reset during a timeout period, set by the timer 310.
[0037] The switch control 312 may be simple logic to convert a command from the processor 302 to control and persist the state of switch 314. Switch 314 may be an ordinary analog switch, known in the art. Even though signal lines 316 and 318 have been designated as an input coupling and output coupling respectively, in one embodiment, the signal lines 316 and 318 are interchangeable. In other embodiments, the switch 314 may be another form of control, such as a variable resistor, variable capacitor, current source or the like. These alternate forms of control may allow tuning performance beyond a simple on/off. For example, a bus speed or graphics controller clock rate may be controlled to impede, but not completely disable, the associated component and, as a result, negatively affect performance, but not disable the entire computer.
[0038] During initial setup, a key may be accepted from the first party who presents a valid format key. Ideally, this operation would take place in a secure environment since the security bean 300 may not have a transport key for encrypting the communication link 305 during initial set up. The key may be a derived key based on a security bean serial number and a master key installed in the master device 226. When multiple masters are used, the masters may alternate this binding process or use random responses from security beans to generate a split between a first master and one or more other masters. Additionally, the default state 330 may be set during initial setup so that the switch 314 is either normally on or normally off upon power up. The key memory 322 and default state flag 330 may be a write-once memory, such as a fusible link or other one-time programmable technology. In some embodiments, the perpetual flag 328 may also be a one-time programmable memory.
[0039] After installation and setup, and upon startup of the security bean 300, the switch 314 may be set to the default state and the security bean 300 may wait for communication from the master device 226. Using a normal challenge/response, the master device 226 and the security bean 300 may mutually authenticate each other. The master device 226 can send a signal that sets the security bean 300 to enable its associated component, be it a power OK signal 230, a signal path 232, or a bus load 234. A dummy device 236 may be powered and may also be in communication with the master device 226, in order to further obfuscate the active devices.
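The setup and startup flow of paragraphs [0038] and [0039], as an added simulation that is not part of the patent: a master derives a per-bean key from its master key and the bean's serial number, the bean accepts that key exactly once (write-once key memory 322), and the switch closes only after a mutual challenge/response. The key derivation (HMAC-SHA256 over the serial), the message labels, the nonce sizes and the class and method names are all assumptions made for this example; the patent specifies only that the key "may be a derived key based on a security bean serial number and a master key" and that authentication uses "a normal challenge/response".

```python
import hashlib
import hmac
import secrets

# Assumptions not stated in the patent: the per-bean key is
# HMAC-SHA256(master key, serial), and challenge/response messages are
# HMAC-SHA256 tags over a direction label plus both parties' nonces.
KEY_LEN = 32


def derive_bean_key(master_key: bytes, serial: bytes) -> bytes:
    """Key a bean from the master key and the bean's serial number (setup time)."""
    return hmac.new(master_key, b"bean-key|" + serial, hashlib.sha256).digest()


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class SecurityBean:
    """Slave: a write-once key slot, a single-use nonce, and the switch state."""

    def __init__(self, serial: bytes):
        self.serial = serial
        self.key = None        # key memory 322: accepted once, from the first valid setup
        self.nonce = None
        self.enabled = False   # default state: associated component disabled

    def accept_setup_key(self, key: bytes) -> bool:
        if self.key is not None or len(key) != KEY_LEN:
            return False       # one-time programmable: later writes are rejected
        self.key = key
        return True

    def respond(self, master_nonce: bytes):
        """Answer the master's challenge and return our own challenge."""
        if self.key is None:
            return None
        self.nonce = secrets.token_bytes(16)   # bean RNG (cryptographic function 308)
        return mac(self.key, b"M->B|" + master_nonce + self.nonce), self.nonce

    def enable_if_valid(self, master_nonce: bytes, proof: bytes) -> bool:
        """Close the switch only if the master proves it holds this bean's key."""
        if self.key is None or self.nonce is None:
            return False
        expected = mac(self.key, b"B->M|" + self.nonce + master_nonce)
        if hmac.compare_digest(expected, proof):
            self.enabled = True
        self.nonce = None      # each challenge is single-use
        return self.enabled


class MasterDevice:
    """Master: holds the device master key and a catalog of derived slave keys."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.catalog = {}      # serial -> derived key (key memory 418)

    def provision(self, bean: SecurityBean) -> bool:
        key = derive_bean_key(self.master_key, bean.serial)
        if not bean.accept_setup_key(key):
            return False
        self.catalog[bean.serial] = key
        return True

    def authenticate_and_enable(self, bean: SecurityBean) -> bool:
        key = self.catalog.get(bean.serial)
        if key is None:
            return False
        master_nonce = secrets.token_bytes(16)
        result = bean.respond(master_nonce)
        if result is None:
            return False
        response, bean_nonce = result
        if not hmac.compare_digest(mac(key, b"M->B|" + master_nonce + bean_nonce), response):
            return False       # wrong key: unprovisioned bean, decoy, or a different master
        proof = mac(key, b"B->M|" + bean_nonce + master_nonce)
        return bean.enable_if_valid(master_nonce, proof)


if __name__ == "__main__":
    master = MasterDevice(secrets.token_bytes(KEY_LEN))
    bean = SecurityBean(b"SN-0001")              # constructed serial number
    print("provisioned:", master.provision(bean))
    print("enabled after mutual auth:", master.authenticate_and_enable(bean))
```

Two properties of the text fall out of the simulation: a second provisioning attempt is rejected because the key slot is write-once, and a master holding a different master key derives a different per-bean key, so its challenge fails before the bean's switch is ever touched. Each bean holds only its own derived key, which is the property the patent relies on to make a software attack extract a key per bean.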
[0040] As described below, several alternatives exist for security bean 300 operation, including but not limited to timeout, ping response, and a combination of the two. In timeout operation, the bean 300 begins a timeout period as soon as switch 314 is set to the enabled mode after power up.
[0041] After a predetermined time the timer 310 may expire, for example, in one minute, and the switch 314 is transitioned to disable its respective component. The timeout timer 310 may be reset by an authenticated signal from the master device 226. In another embodiment, the bean 300 may start in the enabled mode and begin its timing cycle without communication from the master device 226. The switch 314 may be set to disabled mode unless the timer is reset by the authenticated signal from the master device 226 during the timeout period.
[0042] In the ping response mode, the security bean 300 may start in the disabled mode and wait for an authenticated signal to switch to the enabled mode. Subsequently, the master device 226 may ping the security bean 300, to which the security bean 300 may reply. After collecting ping response data from all the security devices 300 installed and configured, the master device 226 may determine that enough beans 300 have not responded and a tampering problem may exist. At that point, the master device 226 may send a disable signal to all responsive security beans 300, causing them to switch to disabled mode. In some embodiments, the disable bit 330 may be set by the disable signal, so that during the next power cycle or reset cycle, the security bean 300 may stay in the disabled mode until explicitly turned off by the master device 226. This may be useful if the security bean 300 is configured to boot into an enabled mode.
[0043] The security bean 300 may store more than one version of key, so that a challenge/response transaction may include a key version for use in creating the appropriate session key. The security bean 300 may also store an encryption key and a signing key, when required by a particular protocol.
[0044] When contract terms have been satisfied, a host server (not depicted) or other trusted device, may send a signal to the master device 226 that the computer 200 should go perpetual, indicating that all security measures should be de-activated. In one embodiment, when the perpetual bit 328 is set, the security bean 300 may always boot to the enabled state, ignore the timer if present, and ignore messages from the master device 226. In another embodiment, the perpetual flag 330 may be reset, for example, when a computer is traded in for an upgrade and recycled.
[0045] Fig. 4, a simplified and representative block diagram of a master device 400, the same as or similar to the master device 226 of Fig. 3, is discussed and described. The master device 400 may include a processor 402, a communication port 404, a secure memory 410, the cryptographic function 412 and a clock or timer 414. The processor 402 may be a core processor implemented in a custom or semi-custom design, or may be part of a single-chip computer, or may be one component in a multi-chip module (MCM). Communication port 404 may support more than one communication protocol, for example as depicted in Fig. 4, connection 406 supports communication with slave devices, such as slave device 300 of Fig. 3, using, for example, an SPI protocol. The communication port 404 may also support a conventional system bus interface to other components of a system incorporating the master device 400, such as the system 200 of Fig. 2.
[0046] The secure memory 410 may include key memory 418 storing a device master key and slave keys generated for each slave associated with the master device 400. A hash algorithm 420 may be stored in the secure memory 410 for use when hashing is calculated by the processor 402. Program code 422 may include executable code for managing the operation of the master device 400. In implementations where the master device 400 manages BIOS code, such BIOS code 424 may be stored in the secure memory 410. A secure boot, or at least a boot cycle using known BIOS code, may be necessary to ensure that the master device 400 and its associated security beans 300 are operational and enabled before boot processes associated with initially deactivated components begin. Configuration information 426 may be used to store information regarding known security beans, their mode of operation, and whether perpetual mode is active.
[0047] The cryptographic function 412 may be as simple as a random number generator and a block cipher function, or may incorporate a smart chip with full cryptographic capability including public key algorithms, and communicate with the processor 402 using an ISO 7816 interface.
[0048] A clock or timer 414 may be used to determine timeout periods during which security beans 300 must respond to a ping. When the master device 400 also incorporates metering functions associated with pay-per-use operation, the clock or timer 414 may be directed to that purpose also.
[0049] In operation, the master device 400 may operate in one of several modes. In one embodiment, after cataloging and sending a derived key to each security bean 300, the master device 400 may periodically send an encrypted, or MACd, reset signal to each security bean 300. Upon verification of the reset signal, the bean may reset its timeout timer and normal operation is preserved. In another embodiment, the master device 400 may periodically ping each catalogued security bean 300. If enough security beans 300 do not respond in a timely fashion, the master device 400 may send a disable signal to each responsive security bean 300. Operation in this fashion is discussed in more detail below with respect to Fig. 7. A combination of operations may be supported; for example, the ping message from the master device 400 may also serve as the timeout timer reset signal at the security bean 300. In this way, should a signal line be cut, the master device 400 can disable the remaining security beans 300 and the disconnected security bean 300 can set itself to disabled mode.
[0050] Fig. 5 is a flow chart illustrating a method 500 of operating a security bean, such as a security bean 300 of Fig. 3. The security bean 300 may be assumed to have already been configured, that is, to have received at least a signing key and, optionally, a default value for a position of switch 314. At block 502, the security bean 300 may go through a power-on restart process. At block 504, a determination is made whether the security bean 300 should boot in a normal mode or in a perpetual mode. If a perpetual flag, for example, perpetual flag 328 of Fig. 3, is set, the "no" branch from block 504 may be followed to block 506. At block 506, the security bean 300 may set itself to enable its associated component. In an embodiment where the perpetual mode permanently disables security, the security bean 300 may disable all timers and ignore any incoming messages to allow its associated component normal operation. As discussed with respect to Fig. 2, the security bean switch 314 may be open or closed to enable its associated component, depending upon configuration.
[0051] If, at block 504, the security bean 300 is to operate in the normal mode, that is, with security enabled, the "yes" branch from block 504 may be followed to block 508 and the security bean 300 may set its switch 314 to disable its associated component. To illustrate, if the switch 314 is in series with a power OK line, the switch 314 may be turned off to block the power OK signal to the associated component and thereby disable it. In another embodiment, if the switch 314 couples a load 236 to a signal line, the switch 314 may be closed to disable the associated signal line. In other embodiments, with a different risk profile, the security bean 300 may be set to enable its associated component.
[0052] At block 510, a timer 310 may be activated and begin a predetermined countdown period. In one embodiment, the countdown period may be one second, although a range of countdown periods may be implemented from very short, for example, 1 ms, to quite long, for example, several minutes, depending upon the number of security beans 300 and an assessment of risk.
[0053] At block 512, a message may be received from a master device 400. In one embodiment, the message may be validated by taking a hash of the message body, encrypting it with the local signing key, and comparing the result with a message authentication code (MAC) value accompanying the message. If the validation passes, the "yes" branch from block 512 may be followed to block 514. If the switch 314 is in the disable position, it may be switched to the enabled position, for example, if this is the first time through this loop. The timeout timer may be reset to its initial value and operation continued at block 510, where the counter may begin counting down from the initial value. If, at block 512, the reset message is not valid, the "no" branch from block 512 may be followed to block 516.
[0054] If, at block 516, the timer has not expired, execution may follow the 'no' branch from block 516 to block 510 and the loop followed until either a valid reset message is received or the timer expires. If, at block 516, the timer has expired, the 'yes' branch from block 516 may be followed to block 518 and the switch 314 set to the disabled position. The security bean 300 may remain in that state until another power-on/restart process is initiated. In other embodiments, a path from block 518 to block 512 may exist allowing a reset message to be validated in the security bean 300 to set an enabled mode without a restart.
[0055] Operation of the master device 400 supporting the security bean operating mode described in Fig. 5 is straightforward. The master device 400 generates an authenticated reset message and sends it to each catalogued security bean 300 at a predetermined interval. The master device 400 may maintain information regarding the operating state of each catalogued security bean 300, but this is not necessary.
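The timer-reset mode of Fig. 5 and the master side of [0055], as an added simulation that is not the patent's code: the bean boots with its component disabled, enables it on the first valid reset message, reloads its countdown on every further valid reset, and latches disabled when the countdown expires. The patent does not name a MAC construction or frame layout; truncated HMAC-SHA256, the `RESET:` frame format and the replay counter are assumptions of this example.

```python
import hashlib
import hmac

# Added example, not the patent's code. The patent has the bean hash the
# message body, encrypt the hash with its signing key and compare the result
# with the MAC sent alongside the message; truncated HMAC-SHA256 is assumed
# here as the concrete MAC, and the frame layout is likewise assumed.
MAC_LEN = 8


def mac(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]


def make_reset(signing_key: bytes, counter: int) -> bytes:
    """Master side ([0055]): one authenticated reset frame. The monotonic
    counter is an assumed addition so a captured frame cannot be replayed."""
    body = b"RESET:" + counter.to_bytes(4, "big")
    return body + mac(signing_key, body)


class WatchdogBean:
    """Security bean in the timer-reset mode of Fig. 5. A tick counter stands
    in for timer 310; `enabled` is the position of switch 314."""

    def __init__(self, signing_key: bytes, timeout_ticks: int, perpetual: bool = False):
        self.key = signing_key
        self.timeout = timeout_ticks
        self.perpetual = perpetual          # perpetual flag 328
        self.last_counter = -1
        self.power_on()

    def power_on(self) -> None:
        """Blocks 502-510: boot disabled and start the countdown, unless perpetual."""
        self.expired = False
        if self.perpetual:                  # block 506: enable, ignore timer and messages
            self.enabled = True
            self.remaining = 0
            return
        self.enabled = False                # block 508: component disabled at boot
        self.remaining = self.timeout       # block 510: start timer 310

    def receive(self, frame: bytes) -> bool:
        """Blocks 512/514: validate the MAC; a valid reset enables the component
        and reloads the timer. Returns True when the frame was accepted."""
        if self.perpetual or self.expired:  # block 518: latched until restart
            return False
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        if not hmac.compare_digest(mac(self.key, body), tag):
            return False                    # invalid: 'no' branch to block 516
        if len(body) != 10 or not body.startswith(b"RESET:"):
            return False
        counter = int.from_bytes(body[6:], "big")
        if counter <= self.last_counter:
            return False                    # old frame replayed (assumed check)
        self.last_counter = counter
        self.enabled = True                 # block 514: first valid reset enables
        self.remaining = self.timeout       # and reloads the countdown
        return True

    def tick(self) -> None:
        """One timer tick; blocks 516/518: on expiry disable and stay disabled."""
        if self.perpetual or self.expired:
            return
        self.remaining -= 1
        if self.remaining <= 0:
            self.enabled = False            # block 518: switch 314 to disable
            self.expired = True
```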
[0056] Fig. 6 is a flow chart illustrating another method 600 of operating a security bean 300 to help prevent tampering with a secure electronic device, such as a metered-use computer 200 depicted in Fig. 2. At block 602 a power-on/restart process may be initiated. At block 604, a determination may be made whether the computer 200 is to be used in a normal operating mode. If this is not true, for example, the computer 200 is to be used in a perpetual operating mode, the 'no' branch from block 604 may be followed to block 606 and the security bean 300 may be set to enable its associated component as well as to disable all timers and to ignore any further messages received.
[0057] If, at block 604, the determination is made to operate in the normal operating mode, the "yes" branch from block 604 may be followed to block 608. At block 608 the security bean 300 may set its switch 314 to disable its associated component. As discussed above, disabling the associated component may involve setting the switch 314 to either open or closed depending upon configuration. The disabled setting may be determined by referring to default state flag 330.
[0058] At block 610, a message may be received from the master device 400. At block 612, the security bean 300 may determine if the message from the master device 400 is valid, for example, by checking the MAC code received with the message. If the message is not valid it may be discarded. If the message is valid, the message content may be parsed to determine if it is a ping message, that is, a message simply requesting a response and not necessarily a 'ping' message as defined by the Ethernet protocol. When the message is a ping, the "yes" branch from block 612 may be followed to block 614 and the security device 300 may respond to the ping with a MACd message using a previously installed symmetric key known to the master device 400.
[0059] If, at block 612, the message is not a ping, the "no" branch from block 612 may be taken to block 616. At block 616, the message contents may be evaluated to determine the message type. If the message is a disable message, the "disable" branch from block 616 may be taken to block 618 and the security bean 300 set to disable its associated component. If the message type is perpetual, the "perpetual" branch from block 616 may be taken to block 620. At block 620, the security bean 300 may be set to enable its associated component and ignore any further pings or state change messages. If, at block 616, the message is unknown, the remaining branch from block 616 may be taken to block 622, the message ignored, and the security bean 300 remain in a wait state for the next message.
[0060] Fig. 7 illustrates a method 700 of operating a master device, such as master device 400, in a ping mode corresponding to the slave device operation described in Fig. 6. After a power-on/restart sequence at block 702, the master device 400 may begin a sequence at block 704 to ping each configured security bean, such as security bean 300 of Fig. 3. In block 706, the number of valid responses received may be compared to a threshold value corresponding to a required number of valid responses for normal operation. For example, in one embodiment, 75% of the catalogued devices must respond within a one second interval to reach the threshold value. 100% compliance may not be required, for example, to account for dummy devices, or if communication links are slow. If the threshold value is reached, and it is the first time through the loop after power-on/restart at block 702, the "first pass" branch from block 706 may be taken to block 710.
[0061] An enable message may be sent to each catalogued security bean 300 indicating that their associated component devices should be enabled.
[0062] If, at block 706, the number of valid responses is above the threshold value and this is the second or later time through the loop, the "yes" branch from block 706 may be taken and the master device 400 may wait a predetermined interval before sending another ping at block 704. When, at block 706, the number of valid responses received during a response period does not reach the threshold value, the "no" branch from block 706 may be taken to block 708 and a disable message may be sent to each catalogued security bean 300. Each catalogued, communicative security bean 300 may then set itself to disable its associated component. In some embodiments, it may be expected that setting one or two security beans to disable their associated components will be sufficient to halt operation of the computer 200, or other electronic device.
[0063] Fig. 8 is a flow chart illustrating a method 800 of configuring a master device 400 and a plurality of associated security beans, such as security bean 300. At block 802, the master device 400 may be injected with a master key during a manufacturing, a test, or an assembly operation. At block 804, after installation and initial programming, the master device 400 may catalog each security bean 300, for example, using an anti-collision protocol based on a serial number of the security bean 300. At block 806, the master device 400 may generate a key for a particular slave device. Using known techniques, the master device 400 may create a derived key using its own master key and the slave device serial number or other identifier. In another embodiment, the master may generate an identifying number for a security bean 300, generate a unique derived key using this identifying number, and send both the derived key and the identifying number to the security bean 300. In this fashion, a unique key can be programmed for each security bean 300. As mentioned above, both a signing key and an encryption key may be generated, depending on expected security protocols. After generation of the key or keys, the master device 400 may transfer the key, or keys, to the appropriate security bean. Using known techniques, the security bean may accept the key presented and install it in a write-once memory, for example, using fuse structures, or other known one-time write processes. In the interest of keeping costs low, this operation may be performed in the clear, in a secure manufacturing environment. However, more secure techniques using transport keys installed during the silicon manufacturing process may also be followed when more rigid security is required.
[0064] At block 808, a check may be made to determine if all associated security beans have been programmed. If not, the "no" branch from block 808 may be taken to block 810 and a next security bean may be selected for programming. If, at block 808, all the security beans have been programmed, the "yes" branch may be followed to block 812. At block 812, each security bean 300 may be set with the default state stored in memory location 330 based on whether its associated switch 314 should be open or closed to disable its associated component. In another embodiment, default state 330 may be set at the factory and designated, for example, by part number.
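The ping mode of Figs. 6 and 7 together with the per-bean key derivation of Fig. 8, as an added simulation that is not the patent's code: the master derives a key for each catalogued serial number, polls the beans with MAC'd pings, enables them after the first pass that reaches the 75% threshold of [0060], and sends a disable to every reachable bean when a later pass falls below it; a bean that has gone perpetual ([0044]) ignores both. HMAC-SHA256 as the derivation and MAC function, the message names and the nonce echo are assumptions of this example.

```python
import hashlib
import hmac

# Added example, not the patent's code. HMAC-SHA256 is assumed both for the
# derived per-bean key of block 806 and for the message MACs of blocks 612/614.
MAC_LEN = 8


def mac(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]


def derive_slave_key(master_key: bytes, serial: bytes) -> bytes:
    """Block 806: a unique key per bean from the master key and bean serial."""
    return hmac.new(master_key, b"slave-key:" + serial, hashlib.sha256).digest()


class PingBean:
    """Slave side of Fig. 6: answers authenticated pings, obeys enable/disable
    and perpetual messages, discards anything with a bad MAC (block 612)."""

    def __init__(self, serial: bytes, key: bytes):
        self.serial, self.key = serial, key
        self.reachable = True      # set False to simulate a cut signal line
        self.enabled = False       # block 608: boot with the component disabled
        self.perpetual = False

    def handle(self, frame: bytes):
        if not self.reachable:
            return None
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        if not hmac.compare_digest(mac(self.key, body), tag):
            return None                         # block 612: invalid, discard
        if self.perpetual:
            return None                         # block 620: ignore further messages
        kind, _, nonce = body.partition(b":")
        if kind == b"PING":                     # block 614: MAC'd reply, nonce echoed
            reply = b"PONG:" + self.serial + b":" + nonce
            return reply + mac(self.key, reply)
        if kind == b"ENABLE":                   # block 710
            self.enabled = True
        elif kind == b"DISABLE":                # block 618
            self.enabled = False
        elif kind == b"PERPETUAL":              # block 620
            self.enabled = self.perpetual = True
        return None                             # block 622: unknown type ignored


class PingMaster:
    """Master side of Figs. 7 and 8: derives and hands out bean keys, polls,
    and disables every reachable bean when replies fall below the threshold."""

    def __init__(self, master_key: bytes, serials, threshold: float = 0.75):
        self.keys = {s: derive_slave_key(master_key, s) for s in serials}
        self.threshold = threshold              # [0060]: 75% must answer in time
        self.nonce = 0

    def provision(self, serial: bytes) -> bytes:
        """Blocks 806/810: the key installed in the bean during manufacture."""
        return self.keys[serial]

    def _send(self, bean: PingBean, kind: bytes):
        body = kind + b":" + self.nonce.to_bytes(4, "big")
        return bean.handle(body + mac(self.keys[bean.serial], body))

    def poll(self, beans, first_pass: bool) -> bool:
        """One pass through blocks 704-710; True when the threshold was reached."""
        self.nonce += 1
        expected_tail = b":" + self.nonce.to_bytes(4, "big")
        valid = 0
        for bean in beans:
            reply = self._send(bean, b"PING")
            if reply is None:
                continue
            body, tag = reply[:-MAC_LEN], reply[-MAC_LEN:]
            fresh = body == b"PONG:" + bean.serial + expected_tail
            if fresh and hmac.compare_digest(mac(self.keys[bean.serial], body), tag):
                valid += 1                      # block 706: only valid, fresh replies count
        ok = valid >= self.threshold * len(beans)
        if ok and first_pass:
            for bean in beans:                  # block 710: enable after the first good pass
                self._send(bean, b"ENABLE")
        elif not ok:
            for bean in beans:                  # block 708: disable every reachable bean
                self._send(bean, b"DISABLE")
        return ok

    def go_perpetual(self, beans) -> None:
        """[0044]: contract satisfied, release every bean permanently."""
        self.nonce += 1
        for bean in beans:
            self._send(bean, b"PERPETUAL")
```

A bean whose signal line is cut before the disable is sent keeps its last state here, which is why [0049] combines the ping with the timer-reset mode so that such a bean disables itself.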
[0065] The use of a master device and a plurality of associated security beans provides a simple, low-cost but highly effective mechanism to enforce physical security in a device such as a pay-per-use computer or other electronic device with an on-going financial obligation. The highest levels of security, and their associated cost, may be confined to the master device while dozens of low cost, lower security devices spread throughout a computer can create an effective barrier to hardware hacking. Every attempt to remove, or jumper across, a security device can increase the risk of damage to the motherboard or associated components. Whether a particular security bean is normally open or normally closed further increases the level of complexity of a hardware hack. The use of dummy devices and multiple configurations of motherboards can make it more difficult to widely disseminate hacking information. Incorporation of security beans into other components, such as a Northbridge or a Southbridge, further increases the security of a system. The techniques described, in combination with other security measures, help to create a security barrier to effectively protect the assets of an underwriter or other entity bearing a financial risk in the sale of a subsidized computer or other electronic device.
[0066] Although the foregoing text sets forth a detailed description of numerous different embodiments of the invention, it should be understood that the scope of the invention is defined by the words of the claims set forth at the end of this patent. The detailed description is to be construed as exemplary only and does not describe every possible embodiment of the invention because describing every possible embodiment would be impractical, if not impossible. Numerous alternative embodiments could be implemented, using either current technology or technology developed after the filing date of this patent, which would still fall within the scope of the claims defining the invention.
[0067] Thus, many modifications and variations may be made in the techniques and structures described and illustrated herein without departing from the spirit and scope of the present invention. Accordingly, it should be understood that the methods and apparatus described herein are illustrative only and are not limiting upon the scope of the invention.

Claims

We claim:
1. A device 300 for use in enforcing security in a system 200 comprising: a processor 302, that at least in part, determines when an event has occurred; a port 304 coupled to the processor for communication with a master device; a cryptographic function 308 coupled to the processor for authenticating communications with the master device 226; and a switch 314 coupled to the processor 302 that renders inoperable a corollary device 206 212 220 coupled to the device, the switch responsive to a signal from the processor 302 related to the event.
2. The device of claim 1, wherein the port is coupled to a communication channel dedicated to communication between the master device and one or more of the devices.
3. The device of claim 1, wherein the corollary device is a circuit and the switch is an analog switch that enables a power input on the circuit.
4. The device of claim 1, wherein the corollary device is a bus and the switch is an analog switch that couples a load to the bus.
5. The device of claim 1, further comprising a memory 306 for storing a cryptographic secret 322.
6. The device of claim 1, further comprising a timeout timer 310, wherein the event is an expiration of time at the timeout timer 310.
7. The device of claim 6, wherein the port comprises a receiver and a signal from the master device causes the timeout timer to reset.
8. The device of claim 1, wherein the processor is operable to receive a ping from the master device and respond with an encrypted acknowledgement of the ping.
9. The device of claim 1, wherein the port communicates over one of a dedicated wired bus and wireless network.
10. The device of claim 1, wherein the port communicates over a bus associated with data traffic for the corollary device.
11. A method of binding of components in a system comprising: disposing 804 a plurality of slave devices 230 in the system, each slave device capable of rendering inoperable a respective component of the system; determining 512 616 at the slave device when an event has occurred; and disabling 518 618 the respective component of the system responsive to the event.
12. The method of claim 11, further comprising disposing a master device 802 in the system, wherein the event is a signal from the master device for disabling the respective component of the system.
13. The method of claim 11, further comprising disposing a master device in the system wherein the event is a timeout 516 of a watchdog timer when a timer reset signal from the master device is absent during a predetermined timeout period.
14. The method of claim 11, further comprising disposing a master device in the system and sending an acknowledgement 614 from the slave device to the master device responsive to a request from the master device.
15. The method of claim 14, further comprising disposing a master device in the system and sending a cryptographically verifiable acknowledgement 614 from the slave device to the master device responsive to a cryptographically verified request 612 from the master device.
16. The method of claim 11, further comprising disposing a master device in the system wherein the master sends a request message to each of the plurality of slave devices and sends a disable signal to each of the plurality of slave devices when a total of acknowledge messages responsive to the request message fails to meet a threshold level for acknowledgement messages.
17. A system 200 for securing an electronic device having a plurality of components comprising: one or more security devices 230 232 234, each of the one or more security devices associated with a corresponding one of the plurality of components 204 212 220, each of the one or more security devices capable of disabling its respective component, and a security master 226 in communication with each of the one or more communication devices, wherein each of the one or more security devices disables its respective one of the plurality of components when communication between the security master 226 and the one or more security devices 204 212 220 fails to reach an acceptable threshold.
18. The system of claim 17, wherein each of the one or more security devices comprises a timeout timer 310 that disables its respective one of the plurality of components unless reset by an acceptable threshold of communication during a timeout period.
19. The system of claim 17, wherein each of the one or more security devices responds to a poll from the security master and is responsive to a disable message from the security master when a threshold number of the one or more security devices fail to respond to the poll.
20. The system of claim 17, wherein the plurality of components comprises one of a memory controller 204, a disk controller 216, a data bus 219 220, a peripheral controller 210, a graphics controller 204, a peripheral device 212, and a processor 202.
PCT/US2008/051575 2007-01-29 2008-01-21 Master-slave security devices WO2008094779A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US11/668,446 US8151118B2 (en) 2007-01-29 2007-01-29 Master-slave security devices
US11/668,446 2007-01-29

Publications (1)

Publication Number Publication Date
WO2008094779A1 (en) 2008-08-07

Also Published As

Publication number Publication date
US8151118B2 (en) 2012-04-03
US20080183305A1 (en) 2008-07-31
